Basic reports for SO Linux, Unix, Windows, Solaris ...
I need to make some basic report rules for many SO (mostly linux and WIndows), so I was thinking to use 'event.cat.name' meta, because I guess this meta exist for all SOs logs. So I was wondering:
Is there a list of all possible values of this meta?
How this meta is generated? Because I can't see it on the device's parser.
Is it correct suppose that this meta is generated for all SOs log? And have the same value between them? Eg: All event of user successful logins (no matter the device type) have <event.cat.name = 'user.activity.successful logins'>
Is there other metakey that works better than "event.cat.name" for this kind of reports?
My goal is crete reports like: successful logins, Login fail, user changes, ect.
- Community Thread
- Forum Thread
- Reporting Help
- RSA NetWitness
- RSA NetWitness Platform